-
Notifications
You must be signed in to change notification settings - Fork 1
Understanding Error Codes
vendeeglobe edited this page Jul 8, 2026
·
1 revision
When Bad Behavior blocks a request, it generates a specific 8-character hexadecimal "status key" (e.g., 17f4e8c8). This key is logged in your database and displayed to the blocked user on the 403 error page.
This status key corresponds to a specific rule that was triggered. Below is a list of the most common error codes and their meaning to help you troubleshoot why an IP was banned.
-
17f4e8c8: User-Agent was found on blacklist.- Explanation: The User-Agent string matched a known spambot, vulnerability scanner, or email harvester.
-
96c0bd29: URL pattern found on blacklist.-
Explanation: The requested URL contained known malicious patterns (like SQL injection probes
union+selector path traversal../).
-
Explanation: The requested URL contained known malicious patterns (like SQL injection probes
-
136673cd: IP address found on external blacklist.- Explanation: The IP was found on an external DNS Blackhole List (e.g., Spamhaus) or http:BL.
-
17566707: Required header 'Accept' missing.-
Explanation: Normal web browsers and well-behaved bots always send an
Acceptheader. Missing this usually indicates a primitive bot script.
-
Explanation: Normal web browsers and well-behaved bots always send an
-
a1084bad: User-Agent claimed to be MSIE, with invalid Windows version.- Explanation: The user agent claimed to be Internet Explorer but contained a Windows version string that MSIE never actually uses (e.g., "Windows ME" or "Windows XP" directly in the UA).
-
2b90f772: Connection: TE present, not supported by MSIE.-
Explanation: IE doesn't use the
Connection: TEheader. If this is present alongside an MSIE user agent, it is a spoofed bot.
-
Explanation: IE doesn't use the
-
939a6fbb: Banned proxy server in use.-
Explanation: The
Viaheader revealed the use of a known spam proxy (like "pinappleproxy").
-
Explanation: The
-
cd361abb: Referer did not point to a form on this site.-
Explanation: A POST request was made, but the HTTP Referer indicated the form was submitted from an off-site location (unless
Allow Offsite Formsis enabled).
-
Explanation: A POST request was made, but the HTTP Referer indicated the form was submitted from an off-site location (unless
-
dfd9b1ad: Request contained a malicious JavaScript or SQL injection attack.-
Explanation: The POST data or URI contained active exploit payloads like
document.writeor SQL injection markers.
-
Explanation: The POST data or URI contained active exploit payloads like
-
f9f2b8b9: A User-Agent is required but none was provided.- Explanation: A POST request was made with a completely empty User-Agent string, which legitimate browsers never do.
-
7ad04a8a: Prohibited header 'Range' present.-
Explanation: A Range header starting at
0-was detected. Real browsers do not request byte ranges starting at 0; this is a hallmark of specific scraping bots.
-
Explanation: A Range header starting at
-
f1182195/71436a15/e4de0453: User-Agent claimed to be a major search engine, claim appears to be false.- Explanation: The bot claimed to be Googlebot, Yahoo, or MSN, but the IP address did not match the official CIDR ranges for those search engines.
-
e87553e1: I know you and I don't like you, dirty spammer.- Explanation: A hardcoded block for specific, highly persistent spammer IP addresses.
If a legitimate user is blocked and gives you a code, you can look it up here to explain to them what part of their browser, proxy, or firewall is misconfigured.